Manager breaching confidentiality?

8 replies

chocolateworshipper · 26/07/2019 23:46

Can anyone advise whether this breaks any law e.g. GDPR?

A manager receives an email which clearly states that the attached file will contain personal (medical) information about an employee. The manager then opens the attachment with an employee (non-manager and not the one that the attached file is about) sat next to them, so that the employee can see exactly what is contained in that file. The manager comments on the contents and also tells the employee more details about the medical condition of the other employee.

daisychain01 · 27/07/2019 07:05

If the employee sitting next to the manager has no professional need to know about the medical details of the employee, for example not HR or OH and not line manager, then yes it is highly unprofessional of the manager not to keep the electronic information confidential. It breaches confidentiality.

Furthermore it's bad enough opening the file in the person's presence, then proceeding to discuss the contents strips the (sick) employee of dignity by talking about their medical condition.

Not saying it's right, but it happens a lot in organisations - people just don't get their responsibility on this stuff, and often lack the moral compass to know you just don't do it, it's wrong!

chocolateworshipper · 27/07/2019 09:54

Thanks Daisy - I should have clarified that the person sitting next to the manager was not HR / OH / management etc. Would this be a GDPR breach do you know?

daisychain01 · 27/07/2019 19:30

Personal data shared in a way that was not intended (which your description suggests is the case, as the email was marked private and confidential, and clearly contained sensitive personal identifiable information), is classed as a data breach under GDPR.

Companies are duty bound to have processes in place to handle data breaches - the next step in your scenario is making the Manager aware they have committed a data breach by discussing the data with an unauthorised person. Was the "non-manager employee" you? If so then it would be you who would highlight the breach under GDPR as it sounds like they are clueless and may not know they've done anything wrong.

GDPR emphasises detriment to the individual (loss, embarrassment, discrimination) as a consequence of the person's data falling into the wrong hands. So you'd need to clarify to the manager in what way the person risks suffering due to the data breach. Or you could let the person know, and get them to raise the issue.

Is that something you feel able to do? Raising it direct to the Manager in the first instance (in confidence) is better than reporting them to HR to give them the chance to explain.

daisychain01 · 28/07/2019 05:14

Meant to add, under GDPR, the Manager is duty bound to inform that employee that they've committed a data breach with their data, within 72 hours of the breach.

Whether you'll get the Manager to be dragged kicking and screaming into 2018 (when GDPR became law) is another matter.

chocolateworshipper · 28/07/2019 09:47

Thank you for your replies Daisy - that's really helpful.

C8H10N4O2 · 28/07/2019 09:51

Not only is the manager breaching confidentiality but they should also not be reading detailed medical reports.

As a manager they need to know enough to make any work adjustments and no more. Who sent them the confidential details?

MiriamWDiep · 05/10/2019 13:30

This reply has been deleted

Message deleted by MNHQ. Here's a link to our Talk Guidelines.

daisychain01 · 06/10/2019 08:48

@MiriamWDiep I'm reporting your post. You have breached MNHQ regs by advertising!
